53

This is my first time setting up or even using Active Directory.

I set it up and added the computers (actually VMs in Hyper-V) to Active Directory, and if I use Hyper-V to connect to the VMs, I am able to use users from the Active Directory domain to log in to the VMs.

However, if I try to log in via Remote Desktop, I get this error:

The connection was denied because the user account is not authorized for remote login.

I have tried:
- From within Active Directory, I have added the group that my user is in to Remote Desktop Users.
- On the VM itself, adding the Active Directory group (that contains the user I am trying to log in with) to Allow log on through Remote Desktop Services in Local Security Policy.

I still have the same authorization denied error.

How do I properly set up a group in Active Directory to be able to log in with Remote Desktop on all of my virtual machines?

Thanks!

user1308743
  • Is the Remote Desktop Services role installed on the VM? – KJ-SRS Aug 20 '12 at 22:21
  • Try looking at Group Policy as well; have you changed anything there? What OSes... have you got the right level of security on the RDP sessions, i.e. Vista and above? Anything in the event logs on the local machines? MDMarra's answer should have worked. What sort of setup have you got? OSes inside the VMs, etc.? – Rhys Evans Aug 20 '12 at 23:08
  • Don't forget to allow remote access in the advanced system properties on the actual VM OS; from there you can choose groups or users to allow remote access. –  Apr 19 '15 at 18:58

7 Answers

40
  1. Start → Run → secpol.msc

    Security Settings\Local Policies\User Rights Assignment

    Right pane → double-click on Allow log on through Remote Desktop Services → Add Users or Group → enter Remote Desktop Users

  2. Start → Run → services.msc

    Look for Remote Desktop Services and make sure the Log on account is Network Service, not Local System.

  3. Check your event logs.

Saikat
Amit Naidu
  • 7
    This is an older post, but for future reference to somebody that got stuck (as I did), the answer given above by Amit Naidu really hits the spot. The problem, in my opinion, is that adding a user to the group "Remote Desktop Users" (on your Active Directory) is not enough; afterwards you need to change your **LOCAL** machine policies with the command (as above) secpol.msc and add the Active Directory group "Remote Desktop Users" to your **LOCAL** allowed remote users. Also do the check mentioned in the second step; it can troubleshoot your problem. Amit, thank you for your time and knowledge. –  Mar 12 '13 at 21:47
  • 3
    Good stuff, I've added the `Domain Users` group to the `Remote Desktop Users` group to get a certain PC we're gearing up to share stuff with internally. – jxramos Sep 16 '16 at 00:51
  • For what it's worth - this is not required in a standard installation of any version of Windows. You will only need to do this if you are using an image that has been altered from the default state, for example, due to security hardening. – MDMarra Feb 15 '18 at 21:30
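
The checks named in the answers on this page (Remote Desktop enabled, local Remote Desktop Users membership, the Allow log on through Remote Desktop Services right, applied Group Policy) can be read back in one pass on the VM. This is an added example, not part of any answer; it assumes an elevated Windows PowerShell 5.1 session, the temp file name is arbitrary, and the deny-right check goes beyond what the answers mention.

```powershell
# Added example: run in an elevated PowerShell session on the VM that refuses the logon.

# 1. Is Remote Desktop enabled at all? 0 = connections allowed, 1 = denied.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $($ts.fDenyTSConnections)"

# 2. Members of the LOCAL Remote Desktop Users group (well-known SID S-1-5-32-555).
#    A domain group added here shows up with ObjectClass 'Group'.
Get-LocalGroupMember -SID 'S-1-5-32-555' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Export the user rights currently in effect on this machine and list who
#    holds the allow and deny rights for Remote Desktop logon.
$cfg = Join-Path $env:TEMP 'rdp-user-rights.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Right([string]$Name) {
    $hit = Select-String -Path $cfg -Pattern "^$Name\s*=" | Select-Object -First 1
    if (-not $hit) { return }                      # right is assigned to nobody
    foreach ($entry in ($hit.Line -split '=', 2)[1].Split(',')) {
        $id = $entry.Trim().TrimStart('*')         # secedit writes SIDs as *S-1-...
        if ($id -notmatch '^S-1-') { $id; continue }
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }                            # unresolvable SID: print it raw
    }
}

'Allow log on through Remote Desktop Services:'
Resolve-Right 'SeRemoteInteractiveLogonRight' | ForEach-Object { "  $_" }
'Deny log on through Remote Desktop Services:'
Resolve-Right 'SeDenyRemoteInteractiveLogonRight' | ForEach-Object { "  $_" }
Remove-Item $cfg

# 4. Which GPOs apply to this computer (shows whether a domain policy
#    is overriding what was set in secpol.msc).
gpresult /r /scope computer
```

An entry under the deny right takes precedence over the allow right, so a group listed in both is still refused.
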
16

Add the users in question to the Remote Desktop Users group on each local machine.

MDMarra
  • 2
    I added the group that the users were a part of on the local machine and I was still getting that error. Interestingly, I added the user itself, and now instead of a popup with that error, RDP connects and just gives an "Access is denied" at the login screen. Any other thoughts? – user1308743 Aug 20 '12 at 21:25
  • This answer combined with Amit Naidu's got it working for me – Adam Feb 15 '18 at 21:26
  • Here's an excellent guide on doing what MDMarra is suggesting: https://support.ncomputing.com/portal/kb/articles/how-to-add-a-new-user-and-configure-remote-desktop-user-s-group-settings-on-windows-server-2016 – Adam Feb 16 '18 at 00:06
10

I think I found the solution to this problem.

Open this on the workstation where you want to connect: Control Panel\System and Security\System, click Advanced System Settings. On the Remote tab, in the Remote Desktop group, click the button Select Users...

Click Add and add the user that you want to have access. If you are using AD, make sure you can ping the domain. Always click Check Names to make sure that the user you are adding is correct, e.g. myusername@mydomain.com.

Jayrich
3

Checking the Remote Desktop Services service is very important, and it also helps to restart it.

I was having the same problem and it was killing me. First thing to do is see if a non domain admin can RDP to a different server. If they can, then you just need to worry about a local setting on that Terminal Server.

In my case I added the needed users to the Remote Desktop Users group on the DC and then set the Domain Policy in Group Policy Management Console - Group Policy Objects - right-click your default domain policy - Edit - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services. Add "Remote Desktop Users" to this policy.

Then run: gpupdate /force

Then from your Terminal Server: Start - Administrative Tools - Remote Desktop Services - Remote Desktop Session Host Configuration - RDP-Tcp - right-click - Properties - Security - Add - Domain Users - grant them User Access and Guest Access - OK.

Then you have to go to services on the Terminal Server and restart the Remote Desktop Services service. Otherwise the RDP-Tcp setting won't take effect right away.

All users that are part of the Remote Desktop Users group and Domain Users group should now connect.

Dave
1

I found the solution for this issue... but I have a few questions. Is that a domain user, like MSN.COM\john?

If your answer is yes, you should go to the user account properties, then go to groups and add this user to remote desktop user and remote management user. The second thing: go to that remote computer --> go to Control Panel --> User Accounts --> Manage other user --> Add other user --> after writing the name it will come automatically from Active Directory if it is joined to the domain, and give this user administrator level.

I was facing the same issue before and I was trying to fix it by following these steps...

1

What worked for me was adding the user (that needs to log in) to "Remote Desktop Users" group.

  1. Run lusrmgr.msc

  2. Open the user's properties page

  3. Go to the "Member Of" tab

  4. Add "Remote Desktop Users"

laggingreflex
0

At first glance I would say you did the right things...
About the only thing that comes to mind is that you used the wrong type of group.
Distribution group instead of security group.

Tonny